Subject: Re: questions on package system
To: Antti Kantee <firstname.lastname@example.org>
From: Andrew Gillham <email@example.com>
Date: 03/13/2000 13:40:49
Antti Kantee writes:
> Hmmh, I remember using sup through a firewall once. IIRC sup uses port
> 871 and is quite strict about it. If you can trick it somehow, this
> shouldn't be a problem. I had something like the following:
> localhost:871 -> outsidefirewall:80
> outsidefirewall:80 -> supserver:871
> The downside is that it requires one box outside the firewall for
> redirect. And of course the firewall has to be a fly-through one, not a
> proxy thingie.
Ok, information is power. So they say.
If you want to "tunnel" a full ip stack, do the following:
1. Hack the 'socket' command to always connect to your proxy
server at port XXX and issue: (and read the response)
"CONNECT <the remote machine>:443 HTTP/1.0\n\n"
This is easy, though I don't have diffs as I haven't updated to
use the latest IPv6 socket patches.
2. Install a server out on the Internet with 'sshd -p 443' running.
3. Use 'ssh-ip-tunnel' on both ends, adding the following to .ssh/config.
ProxyCommand /path/to/socket my.tunnel.server 8080
Then 'ssh my.tunnel.server' should work, by connecting via "HTTPS" support
on your proxy. After this, ssh-ip-tunnel will give you a full IP stack
outside, and inside. You've just totally defeated your very expensive
firewall and overpaid security administrators. :-) Until they block your
site at the proxy (moving target), or make the proxy verify there is SSL
on the HTTPS link. (Then you get an SSL version of socket or something.)
Anyway, if you have a machine inside *and* outside, you will pretty much
always have whatever access you want if your company/school/whatever allows
HTTPS CONNECT commands. Most everyone does, or e-commerce would be DOA.
I have a hacked version of socket that uses the following syntax:
% socket -t <remote host> <your proxy> <your proxy port>
This always connects to <remote host> port 443, which things like Squid
consider to be "safe ports" for CONNECT support.
This 'socket' is 5642 bytes gzipped, so I can send it to someone if they
want it, otherwise I have my sources around somewhere.
Andrew Gillham | This space left blank
firstname.lastname@example.org | inadvertently.
I speak for myself, not for my employer. | Contact the publisher.
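A check in the direction of the post's last mitigation (making the proxy verify there is really SSL on the HTTPS link), as an added example that is not part of the thread: it classifies the first bytes seen on an accepted CONNECT tunnel as either a TLS handshake record or an SSH identification string, so a filtering proxy can close tunnels that are not actually TLS. The sample byte strings are constructed here and the function names are my own.

```python
# Added example, not code from the thread: first-bytes check that a filtering
# proxy could apply to a CONNECT tunnel to port 443 before relaying further.
# A real HTTPS session begins with a TLS record header (content type 0x16 =
# handshake, version 0x03 0x0x, two-byte length) carrying a ClientHello
# (handshake type 0x01) or ServerHello (0x02). An ssh session instead opens
# with the plaintext identification string "SSH-<proto>-<software>" (RFC 4253,
# same shape for SSH-1), which is exactly what 'sshd -p 443' behind the
# CONNECT would exchange.

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO, TLS_SERVER_HELLO = 0x01, 0x02
TLS_MAX_RECORD = 16384 + 2048  # plaintext limit plus compression/MAC allowance


def classify_tunnel_start(data: bytes) -> str:
    """Classify the first bytes sent on a CONNECT tunnel in either direction.

    Returns "tls-handshake", "ssh-banner", "unknown" or "short" (need more bytes).
    """
    if len(data) < 6:
        return "short"
    record_len = int.from_bytes(data[3:5], "big")
    if (data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04
            and 0 < record_len <= TLS_MAX_RECORD
            and data[5] in (TLS_CLIENT_HELLO, TLS_SERVER_HELLO)):
        return "tls-handshake"
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    return "unknown"


def should_relay(data: bytes) -> bool:
    """Policy for the proxy: keep relaying only when the tunnel carries TLS."""
    return classify_tunnel_start(data) == "tls-handshake"


# Constructed samples: a truncated ClientHello in a TLS 1.0 record, and the
# identification line an ssh server would send.
SAMPLE_TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f"      # record: handshake, TLS 1.0, len 47
                           b"\x01\x00\x00\x2b\x03\x03"  # ClientHello, len 43, version
                           + b"\x00" * 32)              # client random (constructed)
SAMPLE_SSH_BANNER = b"SSH-2.0-constructed-sample\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS_CLIENT_HELLO, SAMPLE_SSH_BANNER, b"GET / HTTP/1.0\r\n\r\n"):
        print(classify_tunnel_start(sample), should_relay(sample))
```

Only the leading bytes of each direction need buffering before the proxy decides. As the post itself anticipates, a tunnel that wraps ssh in real SSL passes this check, so it raises the bar for the plain 'sshd -p 443' setup rather than closing the hole.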